From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: accel/rocket: fix UAF via dangling GEM handle in create_bo
Date: Mon, 25 May 2026 19:45:17 +1000
Message-ID: <review-overall-20260521165720.2113571-1-tomeu@tomeuvizoso.net>
In-Reply-To: <20260521165720.2113571-1-tomeu@tomeuvizoso.net>
References: <20260521165720.2113571-1-tomeu@tomeuvizoso.net>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Overall Series Review

Subject: accel/rocket: fix UAF via dangling GEM handle in create_bo
Author: Tomeu Vizoso <tomeu.vizoso@gmail.com>
Patches: 1
Reviewed: 2026-05-25T19:45:17.712730

---

This is a single-patch security fix for a use-after-free vulnerability in the Rocket accelerator's GEM buffer object creation ioctl. The fix is correct and follows the standard DRM driver pattern (panfrost, lima, etnaviv) of deferring handle creation until all fallible operations succeed. The patch also catches a previously missing error check for `drm_mm_insert_node_generic()`. One pre-existing resource leak (IOMMU domain reference) remains unaddressed.

**Verdict: The patch should be accepted, with one pre-existing bug noted for follow-up.**

---

---
Generated by Claude Code Patch Reviewer